CRITICAL · CVE-2026-46855 · CNA: oracle

CVE-2026-46855: Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Metadata Plugin)

Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Metadata Plugin). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Metrics

CVSS v3.1: 9.9
Severity: CRITICAL
Fixed in: none published yet
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a critical-severity vulnerability in the Metadata Plugin component of Oracle Enterprise Manager Base Platform (versions 13.5 and 24.1). A low-privileged attacker with network access over HTTPS can exploit it without any victim interaction, and the scope of impact extends beyond the directly compromised component to other products in the environment. Successful exploitation results in full takeover of Oracle Enterprise Manager Base Platform, including complete loss of confidentiality, integrity, and availability. No fix version has been published yet; HarborGuard is tracking the advisory and will make a patched rebuild available the moment Oracle ships a fix.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Oracle Enterprise Manager Base Platform components. Any image containing an affected version (13.5 or 24.1) of the Oracle Enterprise Manager Base Platform will surface in scan results automatically.
Triage: Available

HarborGuard scores this CVE at CVSS 9.9 Critical and can weight the finding against each customer organization's compliance policy to determine urgency and routing. Triage alerts are routed to the appropriate team inbox within each customer org according to that policy configuration.
Patch: Pending upstream

Because no upstream fix has been published for this CVE, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. In the interim, customers can apply compensating controls via HarborGuard policy configuration, such as network-policy isolation that restricts HTTPS access to Oracle Enterprise Manager endpoints, and egress filtering.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Oracle Enterprise Manager Base Platform service over the network via HTTPS; local or physical access is not required.

  • Authentication: Required

    Any low-privilege account on the platform is sufficient; no administrative or elevated credentials are needed beyond basic authenticated access.

  • Victim interaction: Not required

    No victim action such as clicking a link or opening a file is needed; the attacker can exploit this entirely on their own initiative.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, memory layout, or other variable environmental factors.

Blast Radius

  • A successful attacker reads all data managed by Oracle Enterprise Manager Base Platform, including monitoring credentials, target host metadata, and stored configuration secrets.
  • The attacker can modify or delete any persisted configuration, monitoring rules, or managed-target data across the platform.
  • The attacker can crash or render the Oracle Enterprise Manager Base Platform service unavailable, disrupting monitoring and management of all connected targets.
  • Because the CVSS scope is changed, the attacker gains a foothold capable of pivoting to other products and systems that the Enterprise Manager platform manages or has credentials for.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-46855 is active across customer environments, matching images that include Oracle Enterprise Manager Base Platform 13.5 or 24.1. Because Oracle has not yet published a fix version, no patched rebuild can be generated at this time. HarborGuard will re-check the Oracle advisory on every ingest cycle and, for customers with auto-remediation enabled, will trigger a rebuilt image, a regression-test run, and a PR opened against affected workloads the moment a fix version is published upstream. In the meantime, customers are encouraged to apply compensating controls: restricting network-policy access to Oracle Enterprise Manager HTTPS endpoints to only authorized source IP ranges, applying egress filtering to limit lateral movement from a compromised instance, and auditing which low-privilege accounts have access to the Metadata Plugin interface. Customers whose compliance policy flags Critical-severity unpatched CVEs will receive automatic escalation routing through HarborGuard's triage pipeline.

Affected packages
  • Oracle Corporation / Oracle Enterprise Manager Base Platform
    13.5 · 24.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H